From: Stephen Smalley <sds@tycho.nsa.gov>
To: Andrew Gunnerson <andrewgunnerson@gmail.com>, selinux@tycho.nsa.gov
Subject: Re: "SELinux: ebitmap: truncated map" after editing with libsepol
Date: Wed, 17 Dec 2014 09:02:27 -0500
Message-ID: <54918CF3.4060701@tycho.nsa.gov>
In-Reply-To: <54914D21.9030800@gmail.com>

On 12/17/2014 04:30 AM, Andrew Gunnerson wrote:
> Hello all,
> 
> I have a very simple test program to help with debugging my Android
> dual booting project. It reads the current policy from
> /sys/fs/selinux/policy,
> changes a single type to be permissive, and then loads the new policy
> by writing it to /sys/fs/selinux/load. The problem is, after editing the
> policy with sepol, it fails to load and the kernel prints the following
> message in dmesg: "SELinux: ebitmap: truncated map".
> 
> The program reads and writes the policy file using the standard fopen
> and policydb_read/policydb_write calls. I then set a few types to be
> permissive using the following loop:
> 
>     ...
>     char *name;
>     int is_permissive;
>     char **types = (null terminated char* array)
>     char **type;
>     ...
>     for (unsigned int i = 0; i < pdb->p_types.nprim; i++) {
>         name = pdb->p_type_val_to_name[i];
>         is_permissive = ebitmap_get_bit(&pdb->permissive_map, i + 1);
> 
>         if (!is_permissive) {
>             for (type = types; *type; type++) {
>                 if (strcmp(*type, name) == 0) {
>                     ebitmap_set_bit(&pdb->permissive_map, i + 1, 1);
>                     break;
>                 }
>             }
>         }
>     }
>     ...
> 
> I've been trying to debug this for many hours, but I can't seem to figure
> out why this is happening. Is there a simple mistake I'm overlooking or
> am I approaching this in a completely wrong way?
> 
> Thanks in advance! Any help is greatly appreciated!
> 
> Andrew Gunnerson
> 
> 
> PS: This is running on Android 5.0 with libsepol 2.4-rc4 and kernel
> 3.4.0-g88fbc66.

The implementation of /sys/fs/selinux/load requires you to write the
entire policy in a single write(2) call, so you can't use stdio methods
for writing the policy image.  policydb_write() the image to memory and
then call security_load_policy() on that memory region.

Also, you can see a working example of a program that does this kind of
thing (but on files rather than directly to /sys/fs/selinux/load) in
sepolicy-inject,
https://bitbucket.org/joshua_brindle/sepolicy-inject

Any particular reason you are building a pre-release upstream libsepol
rather than the one included in AOSP (external/libsepol)?  Admittedly,
that is only built for the host, not the device, presently, so you'd at
least need to change that.
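As an added example (not the thread's code and not sepolicy-inject's), here is the approach described above in C: read the kernel's policy image into memory, edit it with libsepol's in-memory policy_file (PF_USE_MEMORY for reading, PF_LEN then PF_USE_MEMORY for writing), and hand the result to the kernel with a single write. The plain-POSIX helpers (read_whole_file, write_image_once, self_test) run anywhere; make_type_permissive and main assume libsepol and libselinux headers and are compiled only with -DUSE_LIBSEPOL. All function names are this example's own, and the bytes in self_test are constructed, not a real policy.

```c
/* Added example, not this thread's code nor sepolicy-inject's: keep the policy image
 * in memory, edit it there, and give it to the kernel in one write(2).  The I/O
 * helpers run alone; the edit step assumes libsepol/libselinux (-DUSE_LIBSEPOL). */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Read to EOF into a growing buffer; fstat() cannot size sysfs nodes such as
 * /sys/fs/selinux/policy, which report st_size == 0. */
static int read_whole_file(const char *path, void **out, size_t *outlen)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    size_t cap = 64 * 1024, len = 0;
    char *buf = malloc(cap);
    while (buf) {
        if (len == cap) {                   /* buffer full: double it */
            char *nb = realloc(buf, cap *= 2);
            if (!nb) { free(buf); buf = NULL; break; }
            buf = nb;
        }
        ssize_t n = read(fd, buf + len, cap - len);
        if (n < 0) { free(buf); buf = NULL; break; }
        if (n == 0) break;                  /* EOF: buf holds the whole file */
        len += (size_t)n;
    }
    close(fd);
    if (!buf) return -1;
    *out = buf;
    *outlen = len;
    return 0;
}

/* Deliver the image with exactly one write(2).  The selinuxfs load node treats
 * each write as a complete policy, so stdio's BUFSIZ-sized writes (or any short
 * write) give the kernel a truncated image, which is the error in the thread. */
static int write_image_once(const char *path, const void *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, len);      /* one call, whole image */
    close(fd);
    return n == (ssize_t)len ? 0 : -1;     /* a short write is a failure, not a retry */
}

/* Round trip on constructed bytes (policydb magic plus filler, not a real
 * policy).  Returns 1 if both helpers preserve the image byte for byte. */
static int self_test(void)
{
    static const unsigned char sample[] = { 0x8c, 0xff, 0x7c, 0xf9, 1, 2, 3, 4 };
    char path[] = "/tmp/policy_img_XXXXXX";
    int fd = mkstemp(path), ok = 0;
    void *back = NULL; size_t blen = 0;
    if (fd < 0) return 0;
    close(fd);
    ok = write_image_once(path, sample, sizeof sample) == 0
      && read_whole_file(path, &back, &blen) == 0
      && blen == sizeof sample && memcmp(back, sample, blen) == 0;
    free(back); unlink(path);
    return ok;
}

#ifdef USE_LIBSEPOL
#include <sepol/policydb/policydb.h>
#include <selinux/selinux.h>

/* Parse the image, set the permissive bit of type_name (permissive_map is keyed
 * by the 1-based type value), and serialise it back to a malloc'd buffer with
 * libsepol's two-pass PF_LEN / PF_USE_MEMORY idiom. */
static int make_type_permissive(void *in, size_t inlen, const char *type_name,
                                void **out, size_t *outlen)
{
    policydb_t pdb; policy_file_t pf;
    type_datum_t *t; int rc = -1;
    if (policydb_init(&pdb)) return -1;
    policy_file_init(&pf);
    pf.type = PF_USE_MEMORY; pf.data = in; pf.len = inlen;
    if (policydb_read(&pdb, &pf, 0)) goto out;
    t = hashtab_search(pdb.p_types.table, (hashtab_key_t)type_name);
    if (!t || ebitmap_set_bit(&pdb.permissive_map, t->s.value, 1)) goto out;
    policy_file_init(&pf);
    pf.type = PF_LEN;                       /* pass 1: measure the image */
    if (policydb_write(&pdb, &pf)) goto out;
    *outlen = pf.len;
    if (!(*out = malloc(*outlen))) goto out;
    pf.type = PF_USE_MEMORY; pf.data = *out; /* pass 2: fill the buffer */
    if (policydb_write(&pdb, &pf)) free(*out); else rc = 0;
out:
    policydb_destroy(&pdb);
    return rc;
}

/* On the device: read the live policy, edit it, load it with a single write. */
int main(int argc, char **argv)
{
    void *img, *newimg; size_t len, newlen;
    if (argc != 2 || read_whole_file("/sys/fs/selinux/policy", &img, &len)) return 1;
    if (make_type_permissive(img, len, argv[1], &newimg, &newlen)) return 1;
    return security_load_policy(newimg, newlen) ? 1 : 0;
}
#endif
```

On the device, security_load_policy() from libselinux performs the single write(2) to /sys/fs/selinux/load; write_image_once shows the same requirement against an ordinary file so the round trip can be checked without a kernel. The edit step looks the type up by name with hashtab_search instead of scanning every type as the quoted loop does, and uses the type's 1-based value as the permissive_map index, which is what the i + 1 in that loop is doing.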
